npmpackage.info

Gathering detailed insights and metrics for validate-commit-msg

Other packages similar to validate-commit-msg

validate-commit-msg-smart

1.1.2

Script to validate a commit message follows the conventional changelog standard

validate-commit-message

3.2.0

GIT COMMIT-MSG hook for validating commit message.

validate-conventional-commit

1.0.4

Smallest simplest conventional commit validator to use with eg Husky

validate-commit-msg-bot

1.0.2

validate-commit-msg aaS

Gathering detailed insights and metrics for validate-commit-msg

validate-commit-msg - 2.14.0 | npmpackage.info

validate-commit-msg

DEPRECATED. Use https://github.com/marionebl/commitlint instead. githook to validate commit messages are up to standard

2.14.0

557

MIT

JavaScript

Installations

npm install validate-commit-msg

Developer Guide

BETA

Typescript

No

Module System

CommonJS

Node Version

6.11.1

NPM Version

3.10.10 Score

98.2

Supply Chain

98.5

Quality

79.2

Maintenance

Vulnerability

100

License

Pull Requests

Open

0

Total

72

Closed

11

Merged

61

Issues

Open

0

Total

46

Closed

46

Releases

v2.14.0

Updated on Jul 29, 2017

v2.13.1

Updated on Jul 23, 2017

v2.13.0

Updated on Jul 20, 2017

v2.12.2

Updated on Jun 08, 2017

v2.12.1

Updated on Apr 04, 2017

v2.12.0

Updated on Mar 31, 2017

View All 33 releases

Languages

JavaScript

JavaScript (100%)

Developer

conventional-changelog

Download Statistics

Total Downloads

Last Day

Last Week

Last Month

Last Year

GitHub Statistics

MIT License

557 Stars

97 Commits

101 Forks

7 Watchers

1 Branches

33 Contributors

Updated on Jul 14, 2025

Maintainers

View All 33 Contributors

Package Meta Information

Latest Version

2.14.0

Package Id

validate-commit-msg@2.14.0

Size

8.95 kB

NPM Version

3.10.10

Node Version

6.11.1

Published on

Jul 29, 2017

Total Downloads

Cumulative downloads

Total Downloads

NaN

Last Day

NaN

Compared to previous day

Last Week

NaN

Compared to previous week

Last Month

NaN

Compared to previous month

Last Year

NaN

Compared to previous year

Weekly Downloads

Monthly Downloads

Yearly Downloads

Dependencies

conventional-commit-types find-parent-dir findup semver-regex

Dev Dependencies

all-contributors-cli chai codecov.io commitizen cz-conventional-changelog husky istanbul mkdirp mocha opt-cli rimraf semantic-release sinon

validate-commit-msg

This provides you a binary that you can use as a githook to validate the commit message. I recommend husky. You'll want to make this part of the commit-msg githook, e.g. when using husky, add "commitmsg": "validate-commit-msg" to your npm scripts in package.json.

Validates that your commit message follows this format:

<type>(<scope>): <subject>

Or without optional scope:

<type>: <subject>

Installation

This module is distributed via npm which is bundled with node and should be installed as one of your project's devDependencies:

npm install --save-dev validate-commit-msg

Usage

options

You can specify options in .vcmrc. It must be valid JSON file. The default configuration object is:

1{
2  "types": ["feat", "fix", "docs", "style", "refactor", "perf", "test", "build", "ci", "chore", "revert"],
3  "scope": {
4    "required": false,
5    "allowed": ["*"],
6    "validate": false,
7    "multiple": false
8  },
9  "warnOnFail": false,
10  "maxSubjectLength": 100,
11  "subjectPattern": ".+",
12  "subjectPatternErrorMsg": "subject does not match subject pattern!",
13  "helpMessage": "",
14  "autoFix": false
15}

Alternatively, options can be specified in package.json:

1{
2  "config": {
3    "validate-commit-msg": {
4      /* your config here */
5    }
6  }
7}

.vcmrc has precedence, if it does not exist, then package.json will be used.

types

These are the types that are allowed for your commit message. If omitted, the value is what is shown above.

You can also specify: "types": "*" to indicate that you don't wish to validate types.

Or you can specify the name of a module that exports types according to the conventional-commit-types spec, e.g. "types": "conventional-commit-types".

scope

This object defines scope requirements for the commit message. Possible properties are:

required

A boolean to define whether a scope is required for all commit messages.

allowed

An array of scopes that are allowed for your commit message.

You may also define it as "*" which is the default to allow any scope names.

validate

A boolean to define whether or not to validate the scope(s) provided.

multiple

A boolean to define whether or not to allow multiple scopes.

warnOnFail

If this is set to true errors will be logged to the console, however the commit will still pass.

maxSubjectLength

This will control the maximum length of the subject.

subjectPattern

Optional, accepts a RegExp to match the commit message subject against.

subjectPatternErrorMsg

If subjectPattern is provided, this message will be displayed if the commit message subject does not match the pattern.

helpMessage

If provided, the helpMessage string is displayed when a commit message is not valid. This allows projects to provide a better developer experience for new contributors.

The helpMessage also supports interpolating a single %s with the original commit message.

autoFix

If this is set to true, type will be auto fixed to all lowercase, subject first letter will be lowercased, and the commit will pass (assuming there's nothing else wrong with it).

Node

Through node you can use as follows

1var validateMessage = require('validate-commit-msg');
2
3var valid = validateMessage('chore(index): an example commit message');
4
5// valid = true

CI

You can use your CI to validate your last commit message:

validate-commit-msg "$(git log -1 --pretty=%B)"

Note this will only validate the last commit message, not all messages in a pull request.

Monorepo

If your lerna repo looks something like this:

my-lerna-repo/
  package.json
  packages/
    package-1/
      package.json
    package-2/
      package.json

The scope of your commit message should be one (or more) of the packages:

EG:

1{
2  "config": {
3    "validate-commit-msg": {
4      "scope": {
5        "required": true,
6        "allowed": ["package-1", "package-2"],
7        "validate": true,
8        "multiple": true
9      },
10    }
11  }
12}

Other notes

If the commit message begins with WIP then none of the validation will happen.

Credits

This was originally developed by contributors to the angular.js project. I pulled it out so I could re-use this same kind of thing in other projects.

Contributors

Thanks goes to these wonderful people (emoji key):

_{Kent C. Dodds} ???? ???? ???? ???? ⚠️	_{Remy Sharp} ???? ???? ⚠️	_{Cédric Malard} ???? ⚠️	_{Mark Dalgleish} ????	_{Ryan Kimber} ???? ⚠️	_{Javier Collado} ???? ⚠️	_{Jamis Charles} ???? ⚠️
_{Shawn Erquhart} ???? ???? ⚠️	_{Tushar Mathur} ???? ⚠️	_{Jason Dreyzehner} ???? ???? ⚠️	_{Abimbola Idowu} ????	_{Gleb Bahmutov} ???? ⚠️	_Dennis ????	_{Matt Lewis} ????
_{Tom Vincent} ????	_{Anders D. Johnson} ???? ???? ⚠️	_{James Zetlen} ???? ⚠️	_{Paul Bienkowski} ???? ⚠️	_{Barney Scott} ???? ⚠️	_{Emmanuel Murillo Sánchez} ???? ⚠️	_{Hans Kristian Flaatten} ???? ⚠️
_{Bo Lingen} ????	_{Spyros Ioakeimidis} ???? ???? ⚠️	_{Matt Travi} ????	_{Jonathan Garbee} ???? ???? ⚠️	_{Tobias Lins} ????	_{Max Claus Nunes} ????	_standy ???? ⚠️

This project follows the all-contributors specification. Contributions of any kind welcome!

No vulnerabilities found.

10

Binary-Artifacts

Determines if the project has generated executable (binary) artifacts in the source repository.

10

License

Determines if the project has defined a license.

7

Code-Review

Determines if the project requires human code review before pull requests (aka merge requests) are merged.

0

Maintained

Determines if the project is "actively maintained".

0

CII-Best-Practices

Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.

0

Security-Policy

Determines if the project has published a security policy.

0

Fuzzing

Determines if the project uses fuzzing.

0

SAST

Determines if the project uses static code analysis.

0

Vulnerabilities

Determines if the project has open, known unfixed vulnerabilities.

Reason

89 existing vulnerabilities detected

Details

Warn: Project is vulnerable to: GHSA-fwr7-v2mv-hh25
Warn: Project is vulnerable to: GHSA-pp7h-53gx-mx7r
Warn: Project is vulnerable to: GHSA-832h-xg76-4gv6
Warn: Project is vulnerable to: GHSA-v6h2-p8h4-qcjw
Warn: Project is vulnerable to: GHSA-cwfw-4gq5-mrqx
Warn: Project is vulnerable to: GHSA-g95f-p29q-9xw4
Warn: Project is vulnerable to: GHSA-grv7-fg5c-xmjg
Warn: Project is vulnerable to: GHSA-9vvw-cc9w-f27h
Warn: Project is vulnerable to: GHSA-gxpj-cx7g-858c
Warn: Project is vulnerable to: GHSA-hr2v-3952-633q
Warn: Project is vulnerable to: GHSA-h6ch-v84p-w6p9
Warn: Project is vulnerable to: GHSA-qrmc-fj45-qfc2
Warn: Project is vulnerable to: GHSA-74fj-2j2h-c42q
Warn: Project is vulnerable to: GHSA-pw2r-vq6v-hr8c
Warn: Project is vulnerable to: GHSA-jchw-25xp-jwwc
Warn: Project is vulnerable to: GHSA-cxjh-pqwp-8mfp
Warn: Project is vulnerable to: GHSA-8r6j-v8pm-fqw3
Warn: Project is vulnerable to: MAL-2023-462
Warn: Project is vulnerable to: GHSA-xf7w-r453-m56c
Warn: Project is vulnerable to: GHSA-pfrx-2q88-qq97
Warn: Project is vulnerable to: GHSA-qh2h-chj9-jffq
Warn: Project is vulnerable to: GHSA-q42p-pg8m-cqh6
Warn: Project is vulnerable to: GHSA-w457-6q6x-cgp9
Warn: Project is vulnerable to: GHSA-62gr-4qp9-h98f
Warn: Project is vulnerable to: GHSA-f52g-6jhx-586p
Warn: Project is vulnerable to: GHSA-2cf5-4w76-r9qv
Warn: Project is vulnerable to: GHSA-3cqr-58rm-57f8
Warn: Project is vulnerable to: GHSA-g9r4-xpmj-mj65
Warn: Project is vulnerable to: GHSA-q2c6-c6pm-g3gh
Warn: Project is vulnerable to: GHSA-765h-qjxv-5f44
Warn: Project is vulnerable to: GHSA-f2jv-r9rf-7988
Warn: Project is vulnerable to: GHSA-jcpv-g9rr-qxrc
Warn: Project is vulnerable to: GHSA-44pw-h2cw-w3vq
Warn: Project is vulnerable to: GHSA-jp4x-w63m-7wgm
Warn: Project is vulnerable to: GHSA-c429-5p7v-vgjp
Warn: Project is vulnerable to: GHSA-43f8-2h32-f4cj
Warn: Project is vulnerable to: GHSA-8g7p-74h8-hg48
Warn: Project is vulnerable to: GHSA-pc5p-h8pf-mvwp
Warn: Project is vulnerable to: GHSA-qqgx-2p2h-9c37
Warn: Project is vulnerable to: GHSA-4hpf-3wq7-5rpr
Warn: Project is vulnerable to: GHSA-f522-ffg8-j8r6
Warn: Project is vulnerable to: GHSA-2pr6-76vf-7546
Warn: Project is vulnerable to: GHSA-8j8c-7jfh-h6hx
Warn: Project is vulnerable to: GHSA-896r-f27r-55mw
Warn: Project is vulnerable to: GHSA-9c47-m6qq-7p4h
Warn: Project is vulnerable to: GHSA-282f-qqgm-c34q
Warn: Project is vulnerable to: GHSA-jf85-cpcp-j695
Warn: Project is vulnerable to: GHSA-fvqr-27wr-82fm
Warn: Project is vulnerable to: GHSA-4xc9-xhrj-v574
Warn: Project is vulnerable to: GHSA-x5rq-j2xg-h7qm
Warn: Project is vulnerable to: GHSA-29mw-wpgm-hmr9
Warn: Project is vulnerable to: GHSA-35jh-r3h4-6jhm
Warn: Project is vulnerable to: GHSA-p6mc-m468-83gw
Warn: Project is vulnerable to: GHSA-f9cm-qmx5-m98h
Warn: Project is vulnerable to: GHSA-7wpw-2hjm-89gp
Warn: Project is vulnerable to: GHSA-952p-6rrq-rcjv
Warn: Project is vulnerable to: GHSA-wrvr-8mpx-r7pp
Warn: Project is vulnerable to: GHSA-hxm2-r34f-qmc5
Warn: Project is vulnerable to: GHSA-f8q6-p94x-37v3
Warn: Project is vulnerable to: GHSA-vh95-rmgr-6w4m
Warn: Project is vulnerable to: GHSA-xvch-5gv4-984h
Warn: Project is vulnerable to: GHSA-w9mr-4mfr-499f
Warn: Project is vulnerable to: GHSA-57cf-349j-352g
Warn: Project is vulnerable to: GHSA-gqgv-6jq5-jjj9
Warn: Project is vulnerable to: GHSA-hrpp-h998-j3pp
Warn: Project is vulnerable to: GHSA-6g33-f262-xjp4
Warn: Project is vulnerable to: GHSA-7xfp-9c55-5vqj
Warn: Project is vulnerable to: GHSA-p8p7-x288-28g6
Warn: Project is vulnerable to: GHSA-r2j6-p67h-q639
Warn: Project is vulnerable to: GHSA-c2qf-rxjj-qqgw
Warn: Project is vulnerable to: GHSA-44c6-4v22-4mhx
Warn: Project is vulnerable to: GHSA-4x5v-gmq8-25ch
Warn: Project is vulnerable to: GHSA-4rq4-32rv-6wp6
Warn: Project is vulnerable to: GHSA-64g7-mvw6-v9qj
Warn: Project is vulnerable to: GHSA-2m39-62fm-q8r3
Warn: Project is vulnerable to: GHSA-mf6x-7mm4-x2g7
Warn: Project is vulnerable to: GHSA-j44m-qm6p-hp7m
Warn: Project is vulnerable to: GHSA-3jfq-g458-7qm9
Warn: Project is vulnerable to: GHSA-5955-9wpr-37jh
Warn: Project is vulnerable to: GHSA-f5x3-32g6-xq36
Warn: Project is vulnerable to: GHSA-g7q5-pjjr-gqvp
Warn: Project is vulnerable to: GHSA-72xf-g2v4-qvf3
Warn: Project is vulnerable to: GHSA-7p7h-4mm5-852v
Warn: Project is vulnerable to: GHSA-xc7v-wxcw-j472
Warn: Project is vulnerable to: GHSA-332q-7ff2-57h2
Warn: Project is vulnerable to: GHSA-v2p6-4mp7-3r9v
Warn: Project is vulnerable to: GHSA-j8xg-fqg3-53r7
Warn: Project is vulnerable to: GHSA-c4w7-xm78-47vh
Warn: Project is vulnerable to: GHSA-p9pc-299p-vxgp

Score

3

/10

Last Scanned on 2025-07-14

The Open Source Security Foundation is a cross-industry collaboration to improve the security of open source software (OSS). The Scorecard provides security health metrics for open source projects.

Learn More